What Information Really Matters in Supervisor Reduction?


Rong Su

arXiv:1608.04104v1 [cs.SY] 14 Aug 2016

Abstract

To make a supervisor comprehensible to a layman has been a long-lasting goal in the supervisory control community. One strategy is to reduce the size of a supervisor to generate a control equivalent version, whose size is hopefully much smaller than the original one so that a user or control designer can easily check whether a designed controller fulfils its objectives and requirements. After the first journal paper on this topic appeared in 1986 by Vaz and Wonham, which relied on the concept of control covers, in 2004 Su and Wonham proposed to use control congruences to ensure computational viability. This work was later adopted in the supervisor localization theory, which aims for a control equivalent distributed implementation of a given centralized supervisor. But after so many publications, some fundamental questions, which should have been addressed in the first place, have not been answered yet, namely what information is critical to ensure control equivalence, what information is responsible for size reduction, and whether partial observation really makes things different. In this paper we will address these fundamental questions by showing that there does exist a unified supervisor reduction theory, which is applicable to all feasible supervisors regardless of whether they are under full observation or partial observation. Our theory provides a partial order over all control equivalent feasible supervisors based on their enabling, disabling and marking information, which can be used to categorize the corresponding reduction rates. Based on this result we can see that, given two control equivalent feasible supervisors, the one under full observation can always result in a reduced supervisor no bigger than that induced by a supervisor under partial observation.
Index Terms: supervisory control, supervisor reduction, control equivalence, partial observation

Rong Su is affiliated with the School of Electrical and Electronic Engineering, Nanyang Technological University, 50 Nanyang Avenue, Singapore 639798. Email: rsu@ntu.edu.sg. The support from Singapore Ministry of Education Tier 1 Academic Research Grant M4011221.040 RG84/13 is gratefully acknowledged.

I. INTRODUCTION

In supervisory control theory (SCT) [6] [12], the control problem associated with a discrete-event system (DES) is to enforce controllable and nonblocking behavior of the plant that is admissible by the specification. When applying SCT to a real application, there are two big questions that require a user to answer, that is, are we doing the right thing, and are we doing things in the right way. The first question is about the correctness of the plant and requirement models. The second question is about correctness of supervisor synthesis, which, if the computational complexity is not a concern, has been properly answered in the SCT community. When computational complexity is indeed a big concern, several efficient synthesis approaches have been proposed in the literature, e.g., [3] [7] [8], which can ensure correct behaviours of the closed-loop system with low computational complexity.

The first question, on the other hand, has been a long-standing hurdle for the SCT to be adopted by the industry because so far there is no efficient way to identify potential errors in plant models or requirement models. The current practice is to synthesize a supervisor based on a given plant model and requirements. An empty supervisor is usually an indication that something is wrong either in the model or in the requirements, which will prompt a system designer to undertake model or requirement updates. The current SCT and its relevant tools can assist the designer to quickly locate the problems in the model that lead to emptiness of the supervisor. The real challenge is how to determine whether the plant model and the requirements are correct, when the supervisor synthesis returns a non-empty supervisor. In this case it usually requires not only syntactic correctness but also semantic correctness, i.e., the designer has to understand the true meaning and impact of every transition in the synthesized supervisor.
Thus, to make a supervisor small enough for a designer to understand its function becomes extremely important. A supervisor carries two kinds of information: the key information at each state for event enabling/disabling and marking, and the information that tracks the evolution of the plant. The latter may contain some redundancy because the plant itself also carries such evolution information. In principle, it is possible to remove redundant transitional information from the supervisor without disturbing the first kind of information, i.e., a reduced supervisor can still ensure the same control capability as that of the original supervisor. This is the key idea used in Vaz and Wonham's paper on supervisor reduction [10], which relies on the concept of control cover. They proved two useful reduction theorems, and proposed a corresponding (exponential time) reduction algorithm.

To overcome the computational complexity involved in supervisor reduction, Su and Wonham made a significant extension in [9] by first relaxing the concept of control cover, then providing a polynomial-time reduction algorithm based on a special type of control cover called control congruence, and finally showing that the minimal supervisor problem (MSP) of computing a supervisor with minimal state size is NP-hard. A polynomial-time lower bound estimation algorithm provided in [9] has indicated that in many applications minimum supervisors can be achieved by using control congruence in polynomial time. Since then, this reduction algorithm has been used in many case studies, and the outcomes are promising. One major application of supervisor reduction is in supervisor localization [1], which aims to create a control-equivalent distributed implementation of a given centralized supervisor.

The supervisor reduction theory proposed in [9] has two major setup assumptions: (1) only full observation is considered; (2) a supervisor under consideration is a sublanguage of the plant, and there exists a one-to-one mapping from the state set of the supervisor to the state set of the plant, which can be easily satisfied by applying supremal synthesis. Since then, many questions have been raised by users. For example, can we apply supervisor reduction on partially reduced supervisors, which may not necessarily be sublanguages of a given plant, or can we apply supervisor reduction in cases with partial observation? Some results have been reported in the literature about the second question, see e.g., [ZCW16]. The main objective of supervisor reduction is to ensure control equivalence between the original supervisor and a reduced supervisor.
The fundamental questions are (1) Q1: what information ensures control equivalence, even under partial observation, and (2) Q2: what information determines the reduction rate, which is the main performance index of supervisor reduction. After so many years since [10] [9] were published, these questions are still open. In this paper we would like to provide an answer. We will first propose a generalized supervisor reduction theory, which is applicable to all feasible supervisors, regardless of whether they are under full observation or partial observation - in the latter case, a supervisor is in general not a sublanguage of the plant. We will show that for each feasible supervisor $S$ of a plant $G$, there exists a feasible supervisor SUPER derivable from subset construction on the synchronous product of $G$ and $S$ such that all feasible supervisors that are control equivalent to $S$ with respect to $G$ and normal with respect to $S$, i.e., all transitions in those supervisors are not redundant, can be derived via quotient construction based on a properly chosen control cover on SUPER. This result will answer our first question: (Q1) what information is critical for ensuring control equivalence.

After that, we will define a partial order on those feasible supervisors by using the key information about event enabling/disabling and state marking such that for any two control equivalent supervisors $S_1$ and $S_2$ with respect to $G$, if $S_1$ is finer than $S_2$, i.e., $S_1$ $S_2$, then the minimum reduced supervisor induced by a minimum control cover on $S_1$ is no bigger than the one induced by a minimum control cover on $S_2$. This result provides an answer to the second question: (Q2) what information determines the reduction rate. As a direct consequence of this result, as long as control equivalence holds, a feasible supervisor under full observation always results in a reduced supervisor no bigger than the one induced from a supervisor under partial observation. The whole theory is independent of a specific choice of the observability definition such as observability [4], normality [4] or relative observability [2] - these definitions are lumped into the property of control feasibility, which states that a feasible supervisor must apply the same control law to all transitional sequences which cannot be distinguished based on observations.

The remainder of the paper is organized as follows. In Section II, we provide preliminaries on supervisor reduction. In Section III we discuss critical information for ensuring control equivalence. Then in Section IV we talk about information that determines reduction efficiency. We draw conclusions in Section V.

II. PRELIMINARIES ON SUPERVISOR REDUCTION

Given an arbitrary finite alphabet $\Sigma$, let $\Sigma^*$ be the free monoid with the empty string $\epsilon$ being the unit element and the string concatenation being the monoid operation. Given two strings $s, t \in \Sigma^*$, $s$ is called a prefix substring of $t$, written as $s \le t$, if there exists $s' \in \Sigma^*$ such that $ss' = t$, where $ss'$ denotes the concatenation of $s$ and $s'$. Any subset $L \subseteq \Sigma^*$ is called a language. The prefix closure of $L$ is defined as $\overline{L} = \{s \in \Sigma^* \mid (\exists t \in L)\ s \le t\} \subseteq \Sigma^*$. Given two languages $L, L' \subseteq \Sigma^*$, let $LL' := \{ss' \in \Sigma^* \mid s \in L \wedge s' \in L'\}$ denote the concatenation of two sets. Let $\Sigma' \subseteq \Sigma$. A mapping $P : \Sigma^* \to \Sigma'^*$ is called the natural projection with respect to $(\Sigma, \Sigma')$, if

1) $P(\epsilon) = \epsilon$,
2) $(\forall \sigma \in \Sigma)\ P(\sigma) := \sigma$ if $\sigma \in \Sigma'$, and $P(\sigma) := \epsilon$ otherwise,
3) $(\forall s\sigma \in \Sigma^*)\ P(s\sigma) = P(s)P(\sigma)$.

Given a language $L \subseteq \Sigma^*$, $P(L) := \{P(s) \in \Sigma'^* \mid s \in L\}$. The inverse image mapping of $P$ is $P^{-1} : 2^{\Sigma'^*} \to 2^{\Sigma^*} : L \mapsto P^{-1}(L) := \{s \in \Sigma^* \mid P(s) \in L\}$. Given $L_1 \subseteq \Sigma_1^*$ and $L_2 \subseteq \Sigma_2^*$, the synchronous product of $L_1$ and $L_2$ is defined as $L_1 \| L_2 := P_1^{-1}(L_1) \cap P_2^{-1}(L_2)$, where $P_1 : (\Sigma_1 \cup \Sigma_2)^* \to \Sigma_1^*$ and $P_2 : (\Sigma_1 \cup \Sigma_2)^* \to \Sigma_2^*$ are natural projections. Clearly, $\|$ is commutative and associative.

A plant is modelled as a deterministic finite-state automaton, $G = (X, \Sigma, \xi, x_0, X_m)$, where $X$ stands for the state set, $\Sigma$ for the alphabet, $\xi : X \times \Sigma \to X$ for the (partial) transition function, $x_0$ for the initial state and $X_m \subseteq X$ for the marker state set. Here we follow the notation system in [11] and use $\xi(x, \sigma)!$ to denote that the transition $\xi(x, \sigma)$ is defined. The domain of $\xi$ can be extended to $X \times \Sigma^*$, where $\xi(x, \epsilon) = x$ for all $x \in X$, and $\xi(x, s\sigma) := \xi(\xi(x, s), \sigma)$. The closed behavior of $G$ is defined as $L(G) := \{s \in \Sigma^* \mid \xi(x_0, s)!\}$, and the marked behavior of $G$ is $L_m(G) := \{s \in L(G) \mid \xi(x_0, s) \in X_m\}$. $G$ is nonblocking if $\overline{L_m(G)} = L(G)$. We say $G$ is reachable if for each $x \in X$ there exists $s \in L(G)$ such that $\xi(x_0, s) = x$. From now on we will only consider reachable automata. We will use $|X|$ to denote the size of the state set $X$. In some circumstances, when the state set is not explicitly mentioned, we also use $|G|$ to denote the size of an automaton, which is equal to the size of its state set.

Given two finite-state automata $G_i = (X_i, \Sigma_i, \xi_i, x_{i,0}, X_{i,m})$ ($i = 1, 2$), the synchronous product of $G_1$ and $G_2$, denoted as $G_1 \| G_2$, is a (reachable) finite-state automaton $G = (X := X_1 \times X_2, \Sigma := \Sigma_1 \cup \Sigma_2, \xi := \xi_1 \times \xi_2, x_0 := (x_{1,0}, x_{2,0}), X_m := X_{1,m} \times X_{2,m})$, where the (partial) transition map $\xi$ is defined as follows: for all $x = (x_1, x_2) \in X$ and all $\sigma \in \Sigma$,

$$\xi(x, \sigma) := \begin{cases} (\xi_1(x_1, \sigma), x_2) & \sigma \in \Sigma_1 \setminus \Sigma_2, \\ (x_1, \xi_2(x_2, \sigma)) & \sigma \in \Sigma_2 \setminus \Sigma_1, \\ (\xi_1(x_1, \sigma), \xi_2(x_2, \sigma)) & \sigma \in \Sigma_1 \cap \Sigma_2. \end{cases}$$

It has been shown that the automaton synchronous product is commutative and associative. Thus, it can be applied to an arbitrary finite number of finite-state automata. In this paper we will only focus on finite-state automata whose alphabets are the same. In this case, a transition is allowed in the synchronous product if all component automata allow it.

Let $\Sigma = \Sigma_c \cup \Sigma_{uc} = \Sigma_o \cup \Sigma_{uo}$, where disjoint $\Sigma_c$ ($\Sigma_o$) and $\Sigma_{uc}$ ($\Sigma_{uo}$) denote respectively the sets of controllable (observable) and uncontrollable (unobservable) events. Let $\Gamma := \{\gamma \subseteq \Sigma \mid \Sigma_{uc} \subseteq \gamma\}$ be the collection of all control patterns. A (feasible) supervisor of $G$ under partial observation $P_o : \Sigma^* \to \Sigma_o^*$ is defined as a finite-state automaton $S = (Z, \Sigma, \delta, z_0, Z_m)$ such that

[Control Existence] $(\forall z \in Z)\ \{\sigma \in \Sigma \mid \delta(z, \sigma)!\} \in \Gamma$,
[Control Feasibility] $(\forall s, s' \in L(S))\ P_o(s) = P_o(s') \Rightarrow \delta(z_0, s) = \delta(z_0, s')$.

The first property says that a supervisor can only disable controllable events, thus, all uncontrollable events must be allowed in the control pattern (or command) at each state $z$. This property can be ensured by enforcing controllability [6] on the closed-loop system behaviors. The second property says that a supervisor will issue the same control pattern (or command) to strings which are observation equivalent under $P_o$. This property ensures implementation feasibility of the supervisor, and can be enforced by various types of observability properties proposed in the Ramadge-Wonham supervisory control paradigm, e.g., observability [4], normality [4], and relative observability [2]. It can be checked that the second property implies that $(\forall z \in Z)(\forall \sigma \in \Sigma_{uo})\ \delta(z, \sigma)! \Rightarrow \delta(z, \sigma) = z$, namely unobservable events can only be selflooped at some states, and any transition between two different states must be observable. The closed-loop behavior of the system is denoted by two languages: the closed behavior $L(G \| S) = L(G) \cap L(S)$ and the marked behavior $L_m(G \| S) = L_m(G) \cap L_m(S)$.
To illustrate the aforementioned concepts and facilitate subsequent development, we use a simple running example of a single-tank system depicted in Figure 1, which consists of one water supply source whose supply rate is $q_i$, one tank, and one control valve at the bottom of the tank controlling the outgoing flow rate $q_o$, whose value depends on the valve opening and the water level $h$. We assume that the valve can only be fully open or fully closed to simplify our illustration, and in case of a full opening, the water level $h$ can only go down. The water level $h$ can be measured, whose value can trigger some predefined events, denoting the water levels: low (h=l), medium (h=m), high (h=h), and extremely high (h=eh). A simple plant model $G$ of the system is depicted in Figure 2, where the alphabet $\Sigma$ contains all events shown in the figure.

Fig. 1. Example 1: A single-tank system

Fig. 2. Example 1: Automaton model of the plant G

The actions of opening the valve ($q_o = 1$) and closing the valve ($q_o = 0$) are controllable but unobservable, and all water level events are observable but uncontrollable. In the model we use a shaded oval to denote a marker state, i.e., state 5 and state 9 in Figure 2. Assume that we do not want the water level to be extremely high, i.e., the event h=eh should not occur. To prevent state 9 from being reached, we compose a requirement $E$ shown in Figure 3, whose alphabet is {h=l, h=m, h=h, h=eh}, but the event h=eh is never allowed in the model. A controllable and observable sublanguage, i.e., a closed-loop behavior $K = L_m(G \| S)$, can be synthesized by using the standard Ramadge-Wonham supervisory control paradigm, which is also depicted in Figure 3. The corresponding feasible supervisor $S$ via subset construction on $K$ is depicted in Figure 4. We can see that in $S$ all unobservable events are selflooped at some states, and transitions between different states are all labeled by observable events.

Fig. 3. Example 1: Automaton models of a requirement E (Left) and the controllable and observable sublanguage K (Right)

Fig. 4. Example 1: A feasible supervisor S

For a plant $G$, there may exist more than one supervisor that can fulfil a control objective, e.g., to ensure the closed-loop system behavior to be contained in a predefined requirement language $E \subseteq \Sigma^*$. Two supervisors $S_1$ and $S_2$ of $G$ are control equivalent [9] if $L(G \| S_1) = L(G \| S_2)$ and $L_m(G \| S_1) = L_m(G \| S_2)$. Let C(G, S) be the collection of all feasible supervisors of $G$ under partial observation $P_o$, which are control equivalent to a given supervisor $S$. It is desirable to find one supervisor $S^* \in$ F(G, S) such that for all $S' \in$ F(G, S) we have $|S^*| \le |S'|$, i.e., the supervisor $S^*$ has the minimum number of states. Unfortunately, it has been shown in [9] that finding $S^*$ is NP-hard, even for a supervisor under full observation, which relies on the concept of control covers - each control cover is a group of states in $S$ that are control compatible, whose exact meaning will be explained shortly. Thus, by grouping those compatible states of $S$ together, we may get a new supervisor $S'$ such that (1) $S'$ is control equivalent to $S$; (2) $|S'| < |S|$ (ideally, $|S'| \ll |S|$). In the next couple of sections we will investigate which information is responsible for control consistency, and which is for size reduction.

III. INFORMATION THAT ENSURES CONTROL EQUIVALENCE

Given a plant $G = (X, \Sigma, \xi, x_0, X_m)$ and a supervisor $S = (Z, \Sigma, \delta, z_0, Z_m)$, at each state $z \in Z$ there are four pieces of information shown below:

Let $En : Z \to 2^\Sigma$ with $z \mapsto En(z) := \{\sigma \in \Sigma \mid \delta(z, \sigma)!\}$ be the (S-)enabled event set at state $z \in Z$.

Let $D : Z \to 2^\Sigma$ with $z \mapsto D(z) := \{\sigma \in \Sigma \mid \neg\delta(z, \sigma)! \wedge (\exists s\sigma \in L(G))\ \delta(z_0, s) = z\}$ be the (S-)disabled event set at state $z \in Z$.

Let $M : Z \to \{true, false\}$ with $z \mapsto M(z) := true$ if $(\exists s \in L_m(G \| S))\ \delta(z_0, s) = z$ be the S-marking indicator at state $z \in Z$.

Let $T : Z \to \{true, false\}$ with $z \mapsto T(z) := true$ if $(\exists s \in L_m(G))\ \delta(z_0, s) = z$ be the G-marking indicator at state $z \in Z$.

The (S-)enabled event sets can be easily obtained by simply checking the transition structure of $S$. To determine other sets for each state $z \in Z$, we can first construct the synchronous product $G \| S$, and then check each state tuple $(x, z)$ in the product associated with the state $z \in Z$. As an illustration, let's revisit the supervisor $S$ for the single-tank system depicted in Figure 4. By undertaking the synchronous product $G \| S$ we can obtain the transition structure recognizing $K$ shown in the right picture of Figure 3. From that structure we can get the following:

$En(z_0)$ = {h=l, h=m}, $D(z_0) = \emptyset$, $M(z_0)$ = false, $T(z_0)$ = false,
$En(z_1)$ = {$q_o$=0, $q_o$=1, h=l, h=m}, $D(z_1) = \emptyset$, $M(z_1)$ = false, $T(z_1)$ = false,
$En(z_2)$ = {$q_o$=0, $q_o$=1, h=l, h=m, h=h}, $D(z_2) = \emptyset$, $M(z_2)$ = true, $T(z_2)$ = true,
$En(z_3)$ = {$q_o$=1, h=m, h=h}, $D(z_3)$ = {$q_o$=0}, $M(z_3)$ = false, $T(z_3)$ = false.

Let $R \subseteq Z \times Z$ be a binary relation, where $(z, z') \in R$ iff the following two properties hold:

1) $En(z) \cap D(z') = En(z') \cap D(z) = \emptyset$,
2) $T(z) = T(z') \Rightarrow M(z) = M(z')$.

The first condition requires that any event enabled at one state cannot be disabled at the other state. The second condition requires that both states must have the same marking status, if they are reachable by strings from the marked behavior of $G$. Notice that $R$ is not transitive, thus, it is not an equivalence relation. Any two states satisfying $R$ may potentially be merged together, if their suffix behaviors are compatible, which is precisely captured in the following concept.

Definition 1: A cover $C = \{Z_i \subseteq Z \mid i \in I\}$ of $Z$ is a control cover on $S$ if

1) $(\forall i \in I)\ Z_i \neq \emptyset \wedge (\forall z, z' \in Z_i)\ (z, z') \in R$,
2) $(\forall i \in I)(\forall \sigma \in \Sigma)(\exists j \in I)[(\forall z \in Z_i)\ \delta(z, \sigma)! \Rightarrow \delta(z, \sigma) \in Z_j]$.

Given a control cover $C = \{Z_i \subseteq Z \mid i \in I\}$ on $S$, we construct an induced supervisor $S_C = (I, \Sigma, \kappa, i_0, I_m)$, where $i_0 \in I$ such that $z_0 \in Z_{i_0}$, $I_m := \{i \in I \mid Z_i \cap Z_m \neq \emptyset\}$, and $\kappa : I \times \Sigma \to I$ is the partial transition map such that for each $i \in I$ and $\sigma \in \Sigma$, $\kappa(i, \sigma) := j$ if $j$ is chosen to satisfy the following property:

$$(\exists z \in Z_i)\ \delta(z, \sigma) \in Z_j \wedge [(\forall z' \in Z_i)\ \delta(z', \sigma)! \Rightarrow \delta(z', \sigma) \in Z_j].$$

In general, there may exist more than one choice of $j$ satisfying the above property. A random selection among multiple choices is usually adopted. We now have the first result.

Theorem 1: $S_C$ constructed above is a feasible supervisor, which is control equivalent to $S$.

Proof: 1. We first claim that $L_m(G \| S) \subseteq L_m(G \| S_C)$. Let $s \in L_m(G \| S)$. If $s = \epsilon$, then $z_0 \in Z_m$. Since $z_0 \in Z_{i_0}$, we have $Z_{i_0} \cap Z_m \neq \emptyset$. Therefore $i_0 \in I_m$, namely $\epsilon \in L_m(S_C)$. Let $s = \sigma_0 \cdots \sigma_k$ ($k > 0$). Because we have $\delta(z_0, \sigma_0)!$, $\delta(z_0, \sigma_0\sigma_1)!$, $\cdots$, $\delta(z_0, \sigma_0\sigma_1 \cdots \sigma_k)!$, $\delta(z_0, \sigma_0)!$ and $\delta(z_j, \sigma_j)!$ with $z_{j+1} = \delta(z_0, \sigma_0 \cdots \sigma_j)$, $j = 1, \cdots, k$. Since $\{Z_i \mid i \in I\}$ is a control cover on $Z$, by Definition 1 and the definition of $\kappa$ we have

$$(\forall j : 0 \le j \le k)(\exists i_j, i_{j+1} \in I)\ z_j \in Z_{i_j} \wedge z_{j+1} \in Z_{i_{j+1}} \wedge \kappa(i_j, \sigma_j) = i_{j+1}.$$

Therefore, $\kappa(i_0, s)!$. Since $s \in L_m(G \| S)$, we have $\kappa(i_0, s)$ $Z_m$. Therefore $s \in L_m(G \| S_C)$, namely $L_m(G \| S) \subseteq L_m(G \| S_C)$. By taking the prefix closure on both sides, and recalling that $\overline{L_m(G \| S)} = L(G \| S)$, we have $L(G \| S) \subseteq L(G \| S_C)$.

2. For the reverse inclusion, let $s \in L(G \| S_C)$. If $s = \epsilon$ then, as $L(G \| S) \neq \emptyset$, $s \in L(G \| S)$. Suppose $s = \sigma$. Then $\kappa(i_0, s)!$, so there are $z \in Z_{i_0}$ and $z' \in Z$ such that $\delta(z, \sigma) = z'$, namely $\sigma \in En_{S_C}(z)$. By the definition of the control cover $C$, $\sigma \notin D_{i_0}(z_0)$, so either $\delta(z_0, \sigma)!$ or $(\forall t \in \Sigma^*)\ \delta(z_0, t) = z_0 \Rightarrow t\sigma \notin L(G)$.

But since $s = \sigma \in L(G \| S)$, we conclude $\delta(z_0, \sigma)!$, namely $s \in L(G \| S)$. Of course, by definition of the control cover $C$, there follows $\delta(z_0, \sigma) = z \in Z_i$ for some $i \in I$. In general, let $s = \sigma_0\sigma_1 \cdots \sigma_k$. Repeating the foregoing argument k-fold, we see that $s \in L(G \| S_C)$ implies $s \in L(G \| S)$. This shows that $L(G \| S_C) \subseteq L(G \| S)$.

3. Let $s \in L_m(G \| S_C)$. As shown above, $\delta(z_0, s)!$ with $\delta(z_0, s) = z$ $\kappa(i_0, s)$. Since $\kappa(i_0, s) \in I_m$, there exists $z' \in Z_{\kappa(i_0,s)} \cap X_m$, namely $M_S(z') = true$. By the definition of control cover, we know that there is $s' \in L_m(G \| S)$ such that $\delta(z_0, s') = z'$, namely $T_S(z') = true$. At the same time, $s \in L_m(G \| S)$ implies $T_S(z) = true$. By definition of control cover $C$, we get $M_S(z) = M_S(z') = true$, namely $\delta(z_0, s) = z \in Z_m$, and $s \in L_m(G \| S)$, as required.

So far we have shown that $L(G \| S) = L(G \| S_C)$ and $L_m(G \| S) = L_m(G \| S_C)$. Finally, we need to show that $S_C$ is a feasible supervisor, namely those two conditions must hold. The Control Existence condition obviously holds because the construction of $S_C$ from $S$ does not disable any event more than $S$ does. Since $S$ is feasible, namely the Control Existence condition holds, we know that this condition must hold for $S_C$. For the second condition of Control Feasibility, notice that all unobservable events are selflooped at some states in $S$; by the definition of control cover $C$, it is clear that those unobservable events are also selflooped in some states in $S_C$. Thus, the Control Feasibility condition holds for $S_C$, which completes the proof.

Theorem 1 indicates that we can start with any given plant $G$ and feasible supervisor $S$ to generate another feasible supervisor $S'$, which is control equivalent to $S$ with respect to $G$, by applying the aforementioned construction induced by a properly chosen control cover on $S$. The interesting part of this story is that we do not need to know how we get that $S$ in the first place. Thus, we have a unified way of undertaking supervisor reduction regardless of whether $S$ is under full observation or partial observation.

As an illustration, let's revisit the single-tank system, whose feasible supervisor $S$ is depicted in Figure 4. Based on the aforementioned analysis about those four sets, i.e., $En(z)$, $D(z)$, $M(z)$ and $T(z)$, for each state $z \in Z$, we can check that the set $C := \{\{z_0, z_1, z_2\}, \{z_3\}\}$ is a control cover. The resulting induced supervisor $S_C$ is depicted in Figure 5. We can easily check that $S_C$ is control equivalent to $S$ with respect to $G$. From $S_C$ we can see that what $S$ really does is to prevent the valve from being closed when the water level is high, which matches our expectation perfectly.
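The following Python example is added here and is not code from the paper. It works through Definition 1 and Theorem 1 on a constructed tank-like plant and supervisor: the automata `G` and `S`, the event names (`qo=0`, `qo=1`, `h=...`) and all function names are assumptions made for illustration, since the models of Figures 2 and 4 are not reproduced on the page. It computes En, D, M and T from the product, checks the cover {{z0, z1, z2}, {z3}}, builds the induced supervisor and verifies control equivalence.

```python
from itertools import combinations

# Constructed toy models (assumed; not the automata of the paper's Figures 2 and 4).
# Automaton = {"init": state, "marked": set, "delta": {(state, event): next_state}}
G = {"init": "I", "marked": {"M"}, "delta": {
    ("I", "h=L"): "L",
    ("L", "h=M"): "M", ("L", "qo=0"): "L", ("L", "qo=1"): "L",
    ("M", "h=H"): "H", ("M", "h=L"): "L", ("M", "qo=0"): "M", ("M", "qo=1"): "M",
    ("H", "h=M"): "M", ("H", "qo=1"): "H", ("H", "qo=0"): "Hc",
    ("Hc", "h=EH"): "EH", ("Hc", "qo=1"): "H"}}
S = {"init": "z0", "marked": {"z2"}, "delta": {
    ("z0", "h=L"): "z1",
    ("z1", "h=M"): "z2", ("z1", "qo=0"): "z1", ("z1", "qo=1"): "z1",
    ("z2", "h=H"): "z3", ("z2", "h=L"): "z1", ("z2", "qo=0"): "z2", ("z2", "qo=1"): "z2",
    ("z3", "h=M"): "z2", ("z3", "qo=1"): "z3"}}
COVER = [frozenset({"z0", "z1", "z2"}), frozenset({"z3"})]

def out(A, q):
    """Transitions defined at state q of automaton A, as {event: next_state}."""
    return {e: t for (p, e), t in A["delta"].items() if p == q}

def state_info(G, S):
    """En, D, M, T for every supervisor state, read off the reachable part of G || S."""
    Z = {S["init"]} | {z for z, _ in S["delta"]} | set(S["delta"].values())
    En = {z: set(out(S, z)) for z in Z}
    D = {z: set() for z in Z}
    M, T = dict.fromkeys(Z, False), dict.fromkeys(Z, False)
    seen, stack = {(G["init"], S["init"])}, [(G["init"], S["init"])]
    while stack:
        x, z = stack.pop()
        D[z] |= set(out(G, x)) - En[z]       # possible in the plant here, not defined in S
        if x in G["marked"]:
            T[z] = True                      # z is reached by a string of L_m(G)
            M[z] = M[z] or z in S["marked"]  # z is reached by a string of L_m(G || S)
        for e, x2 in out(G, x).items():
            if e in En[z]:
                nxt = (x2, S["delta"][(z, e)])
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
    return En, D, M, T

def compatible(info, a, b):
    """(a, b) in R: no enable/disable conflict, and equal M whenever T agrees."""
    En, D, M, T = info
    return not (En[a] & D[b]) and not (En[b] & D[a]) and (T[a] != T[b] or M[a] == M[b])

def block_targets(S, block, e):
    """States reached by event e from the members of a block that define e."""
    return {S["delta"][(z, e)] for z in block if (z, e) in S["delta"]}

def is_control_cover(S, info, cover):
    """Definition 1: blocks are non-empty, cover Z, are pairwise R-related, and every
    event leads each block into a single block."""
    events = {e for _, e in S["delta"]}
    if any(not c for c in cover) or set().union(*cover) != set(info[0]):
        return False
    if any(not compatible(info, a, b) for c in cover for a, b in combinations(c, 2)):
        return False
    return all(any(block_targets(S, c, e) <= d for d in cover)
               for c in cover for e in events)

def induced_supervisor(S, cover):
    """S_C = (I, Sigma, kappa, i0, Im); when several blocks j qualify, the first one
    is taken (the text allows any choice)."""
    kappa = {}
    for i, c in enumerate(cover):
        for e in {e for _, e in S["delta"]}:
            tgt = block_targets(S, c, e)
            if tgt:                          # kappa(i, e) is defined only if some z in Z_i enables e
                kappa[(i, e)] = next(j for j, d in enumerate(cover) if tgt <= d)
    return {"init": next(i for i, c in enumerate(cover) if S["init"] in c),
            "marked": {i for i, c in enumerate(cover) if c & S["marked"]},
            "delta": kappa}

def control_equivalent(G, S1, S2):
    """L(G||S1) == L(G||S2) and Lm(G||S1) == Lm(G||S2), by joint exploration
    (all three automata are deterministic, so each string reaches one triple)."""
    start = (G["init"], S1["init"], S2["init"])
    seen, stack = {start}, [start]
    while stack:
        x, a, b = stack.pop()
        if x in G["marked"] and (a in S1["marked"]) != (b in S2["marked"]):
            return False
        for e, x2 in out(G, x).items():
            if ((a, e) in S1["delta"]) != ((b, e) in S2["delta"]):
                return False                 # one supervisor enables e here, the other does not
            if (a, e) in S1["delta"]:
                nxt = (x2, S1["delta"][(a, e)], S2["delta"][(b, e)])
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
    return True

if __name__ == "__main__":
    info = state_info(G, S)
    print("D =", info[1], "| cover ok:", is_control_cover(S, info, COVER))
    S_C = induced_supervisor(S, COVER)
    print("S_C =", S_C, "| control equivalent:", control_equivalent(G, S, S_C))
```

Merging all four states into one block fails the check because `qo=0` is enabled at `z1` and disabled at `z3`, and the supervisor built from that block is no longer control equivalent to `S`.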

13 Fig. 5. Example 1: An induced supervisor S C Next, we will present a result similar to the Generalized Quotient Theorem in [9]. Definition 2: Given a plant G and a feasible supervisor S, let S = (Z, δ, Σ, z 0, Z m) be another feasible supervisor of G. Then S is normal with respect to S if the following hold: 1) ( z Z )( σ Σ)δ (z, σ)! ( sσ L(G S)) δ (z 0, s) = z, 2) ( z Z m)( s L m (G S)) δ (z 0, s) = z. Definition 3: Given automata G A = (X A, Σ, ξ A, x A,0, X A,m ) and G B = (X B, Σ, ξ B, x B,0, X B,m ), G A is DES-epimorphic to G B under DES-epimorphism θ : X A X B if 1) θ is surjective, 2) θ(x A,0 ) = x B,0 and θ(x A,m ) = X B,m, 3) ( x, x X A )( σ Σ)ξ A (x, σ) = x ξ B (θ(x), σ) = θ(x ), 4) ( x X B )( σ Σ)ξ B (x, σ)! ( x θ 1 (x))ξ A (x, σ)!. In particular, G A is DES-isomorphic to G B if θ : X A X B is bijective. Given a plant G and a feasible supervisor S, by computing the synchronous product of G and S, i.e., G S, we can obtain the closed-loop (closed and marked) behaviours. It is well know that, by applying subset construction on G S with respect to P o : Σ Σ o followed by insering selfloops of projected unobservable events at appropriate states in the resulting automton, we can derive a feasible supervisor, say SUPER, which can be shown control equivalent to S. The

following main result shows that any normal feasible supervisor, which is control equivalent to S with respect to G, can be constructed from SUPER by using a proper control cover on S.

Theorem 2: Let SUPER be constructed as above. Then for any normal feasible supervisor SIMSUP with respect to S, which is control equivalent to S with respect to G, there exists a control cover C on SUPER such that some induced feasible supervisor S C is DES-isomorphic to SIMSUP.

Proof: With SUPER = (Z, Σ, δ, z 0, Z m ) and SIMSUP = (Y, Σ, η, y 0, Y m ), for each y Y, let Z(y) := {z Z | ( s L(G S)) δ(z 0, s) = z η(y 0, s) = y} and define C := {Z(y) | y Y }. We now check that C is a control cover on SUPER. By normality of SIMSUP, we have Z(y) for all y Y. Since SUPER is obtained by the subset construction, for each z Z, there is s L(G S) = L(G SIMSUP) with δ(z 0, s) = z and η(y 0, s)!. Hence, z Z(η(y 0, s)). This shows that C = {Z(y) | y Y } covers Z.

Next, fix y Y and let a, b Z(y) with σ En SUPER (a). We need to show that σ / D SUPER (b). Since SUPER is constructed via subset construction, we know that for all s L(G S), there exists s P 1 o (P o (s)) L(G S) such that s σ L(G S). In addition, δ(z 0, s ) = a. Since a Z(y), there exists ŝ L(G S) such that δ(z 0, ŝ) = a and η(y 0, ŝ) = y. Thus, we know that there exists ŝ P 1 o (P o (ŝ)) L(G S) such that ŝ σ L(G S) and δ(z 0, ŝ ) = a. Since SIMSUP is a feasible supervisor, we know that η(y 0, ŝ ) = y. Thus, η(y, σ)!. Since b Z(y), there exists t L(G S) such that δ(z 0, t) = b and η(y 0, t) = y. If there exists t σ L(G) such that δ(z 0, t ) = b, we know that there must exist ˆt Po 1 (P o (t)) L(G S) such that ˆtσ L(G), δ(z 0, ˆt) = b and, because SIMSUP is a feasible supervisor, we have η(y 0, ˆt) = y. Since ˆtσ L(G SIMSUP) = L(G SUPER), we know that δ(b, σ)!. Thus, σ / D SUPER (b), namely En SUPER (a) D SUPER (b) =, as required.

Next, we show that T SUPER (a) = T SUPER (b) M SUPER (a) = M SUPER (b).
To this end, let y Y and a, b Z(y) with M SUPER (a) M SUPER (b). Without loss of generality, assume that M SUPER (a) = true and M SUPER (b) = false. Since M SUPER (a) = true, there exists s L m (G S) such that δ(z 0, s) = a. Thus, T SUPER (a) = true. Since a Z(y), we know

that there exists s L(G S) such that δ(z 0, s ) = a and η(y 0, s ) = y. Due to the subset construction, we know that there exists ŝ Po 1 (P o (t)) L m (G S) such that δ(z 0, ŝ) = a and, because SIMSUP is a feasible supervisor, we have η(y 0, ŝ) = y. This means y Y m. Since b Z(y), for all t L(G S) with δ(z 0, t) = b, due to the subset construction and because SIMSUP is a feasible supervisor, we can deduce that there exists ˆt L(G S) such that δ(z 0, ˆt) = b, η(y 0, ˆt) = y and t L m (G) ˆt L m (G). Since M SUPER (b) = false, we know that ˆt / L m (G S) = L m (G SIMSUP). Since y Y m, we can deduce that ˆt / L m (G). Thus, t / L m (G). Since t is arbitrarily chosen, we know that T SUPER (b) = false. Thus, we have
M SUPER (a) M SUPER (b) T SUPER (a) T SUPER (b),
which is equivalent to
T SUPER (a) = T SUPER (b) M SUPER (a) = M SUPER (b).

Finally, we need to show that for each y Y and σ Σ, there exists y Y such that ( z Z(y))δ(z, σ)! δ(z, σ) Z(y ). Let z Z(y) and δ(z, σ)!. Clearly, there exists sσ L(G S) such that δ(z 0, s) = z. By using an argument similar to the above, we know that there exists s Po 1 (P o (s)) L(G S) such that δ(z 0, s ) = z, η(y 0, s ) = y, and s σ L(G S). Clearly, η(y, σ)!. Thus, δ(z, σ) Z(η(y, σ)), as required.

So far we have shown that C is a control cover on SUPER. By Theorem 1 we know that an induced S C is a feasible supervisor, which is control equivalent to S with respect to G. In addition, there exists a natural DES-isomorphism θ : Y 2 Z : y θ(y) := Z(y). Thus, S C is DES-isomorphic to SIMSUP, which completes the proof.

Up to now we have developed a general theory on supervisor reduction, which unifies both the full observation case and the partial observation case. As a matter of fact, we can see that the concrete way of ensuring observability in a feasible supervisor is not important in achieving control equivalence during supervisor reduction.
Knowing the plant G and a feasible supervisor S is sufficient for us to construct a feasible supervisor, which is control equivalent to S, and hopefully has a (significantly) smaller size.

IV. INFORMATION THAT DETERMINES REDUCTION EFFICIENCY

Our case studies indicate that a supervisor with full observation usually allows a much higher reduction rate than a supervisor with partial observation does. An interesting question is what causes such a discrepancy. In this section we will try to answer this question, which provides a deep insight into the actual effects of full/partial observations on supervisor reduction.

Given a plant G and a feasible supervisor S, each feasible supervisor S F(G, S) carries four pieces of critical information captured by (En S, D S, M S, T S ). We define a partial order among elements of F(G, S), where for all S i = (Z i, Σ, δ i, z i,0, Z i,m ) F(G, S) (i = 1, 2), we say S 1 is finer than S 2, denoted as S 1 S 2, if for all s L(G S), with z 1 := δ 1 (z 1,0, s) and z 2 = δ 2 (z 2,0, s), we have
En S1 (z 1 ) En S2 (z 2 ) and D S1 (z 1 ) D S2 (z 2 ),
M S1 (z 1 ) = true M S2 (z 2 ) = true,
T S1 (z 1 ) = true T S2 (z 2 ) = true.
In other words, S 1 is finer than S 2 if for each pair of states z 1 in S 1 and z 2 in S 2 reachable by the same string in L(G S), the enabling and disabling event sets at z 1 are subsets of those at z 2, and the S-marking indicator and the G-marking indicator being true at z 1 implies that they are also true at z 2. Informally speaking, S 1 carries less redundant (or finer) information than S 2 does, in terms of ensuring control equivalence.

We now use a simple example depicted in Figure 6 to illustrate this idea of partial order over control equivalent feasible supervisors. The alphabet of the plant G is Σ = {a, b, c, d 1, d 2, e}, Σ c = {d 1, d 2 }, and all events are observable for the sake of simplicity. It is not difficult to check that S 1 and S 2 are control equivalent, and that both essentially disable events d 1 and d 2 after firing the event c.
To check that S 1 is finer than S 2, we notice that we only need to check those conditions for two strings s = ɛ and s = c because for other strings in L(G S), S 1 and S 2 are the same. For s = ɛ, we have z 1 = 0 in S 1 and z 2 = 0 in S 2. Clearly, En S1 (z 1 ) = {a, b, c} = En S1 (z 2 ), and D S1 (z 1 ) = = D S2 (z 2 ). In addition, we can check that M S1 (z 1 ) = false and M S2 (z 2 ) = true, and T S1 (z 1 ) = false and T S2 (z 2 ) = true. Thus, those conditions hold for s = ɛ. For s = c we have z 1 = 3 in S 1 and z 2 = 0 in S 2. Clearly, En S1 (z 1 ) = En S1 (z 2 ) = {a, b, c}, and

D S1 (z 1 ) = {d 1, d 2 } = D S2 (z 2 ). In addition, we can check that M S1 (z 1 ) = true = M S2 (z 2 ), and T S1 (z 1 ) = true = T S2 (z 2 ). Thus, we can conclude that S 1 is finer than S 2.

Fig. 6. Example 2: A plant G (left), supervisors S 1 (right top) and S 2 (right bottom)

Proposition 1: Given a plant G and a feasible supervisor S, let SUPER = (Ẑ, Σ, ˆδ, ẑ 0, Ẑm) be constructed above. Then for all s L(G S), let z = ˆδ(ẑ 0, s) and we have the following:
1) En SUPER (z) = {σ Σ ( s σ L(G S)) P o (s) = P o (s )},
2) D SUPER (z) = {σ Σ ( s σ L(G)) P o (s) = P o (s ) s L(S) s σ / L(S)}.

Proof: Recall that SUPER is obtained by applying subset construction on G S. Thus, we know that the following properties hold:
(a) ( σ En SUPER (z))( s σ L(G S)) ˆδ(ẑ 0, s ) = z,
(b) ( s, s L(G S))P o (s ) = P o (s ) ˆδ(ẑ 0, s ) = ˆδ(ẑ 0, s ),
(c) for any two strings s, s L(G S), if ˆδ(ẑ 0, s ) = ˆδ(ẑ 0, s ), then {σ Σ ( tσ L(G S))P o (s ) = P o (t)} = {σ Σ ( t σ L(G S))P o (s ) = P o (t )}.

Thus, we know that
En SUPER (z) = s L(G S):ˆδ(ẑ 0,s )=z {σ Σ s σ L(G S)} by Property (a)
= s L(G S):ˆδ(ẑ 0,s )=z {σ Σ ( tσ L(G S))P o(s ) = P o (t)} by Property (b)
= {σ Σ ( s σ L(G S))P o (s) = P o (s )} by Property (c)
from which we conclude that statement 1) is true.

To show statement 2), let σ D SUPER (z). Then ˆδ(z, σ )! but there exists s σ L(G) such that ˆδ(ẑ 0, s ) = z. Clearly, s L(G S) but s σ / L(S). In addition, due to the nature of subset construction, we can choose s in such a way that P o (s) = P o (s ). Thus, we know that σ {σ Σ ( s σ L(G)) P o (s) = P o (s ) s L(S) s σ / L(S)}, which means D SUPER (z) {σ Σ ( s σ L(G)) P o (s) = P o (s ) s L(S) s σ / L(S)}. To show the opposite direction of set inclusion, let σ {σ Σ ( s σ L(G)) P o (s) = P o (s ) s L(S) s σ / L(S)}. Then there exists s σ L(G) such that P o (s) = P o (s ), s L(S) and s σ / L(S). By Property (b) we know that ˆδ(ẑ 0, s ) = z. Since S is a feasible supervisor, by the property of control feasibility, we know that for all s L(S) with P o (s) = P o (s ), if s σ / L(S). Thus, we can conclude that ˆδ(z, σ)!. Thus, σ D SUPER (z), which means D SUPER (z) {σ Σ ( s σ L(G)) P o (s) = P o (s ) s L(S) s σ / L(S)}.

Theorem 3: Given a plant G and a feasible supervisor S, let SUPER be constructed above. Then for all S F(G, S), we have SUPER S.

Proof: For an arbitrary feasible supervisor S F(G, S), Properties (a)-(b) in Proposition 1 still hold. But Property (c) does not necessarily hold. For this reason, by (the first part of the proof of) Proposition 1, it is not difficult to see that for all s L(G S) let z 1 = ˆδ(ẑ 0, s) and z 2 = δ 2 (z 2,0, s), and we have En SUPER (z 1 ) En S2 (z 2 ). By using a similar argument as in the second part of the proof in Proposition 1, and the fact that the choice of s to ensure P o (s) = P o (s ) may not be feasible for an arbitrary feasible supervisor S, we can easily conclude that D SUPER (z 1 ) D S2 (z 2 ).
By the definitions of the functions M and T, we can check that M SUPER (z 1 ) = true implies M S2 (z 2 ) = true, and T SUPER (z 1 ) = true implies T S2 (z 2 ) = true. Thus, we have SUPER S.

Theorem 3 indicates that for all feasible supervisors in F(G, S), SUPER has the finest information, which still ensures control equivalence. The interesting point is that for any feasible supervisor S F(G, S), we can construct SUPER by applying subset construction on G S, namely we can always obtain the finest feasible supervisor, which is control equivalent to S with respect to G. Nevertheless, the size of SUPER could be big for a practical application. Thus, supervisor reduction may be directly applied to any attainable feasible supervisor S F(G, S). The following result indicates that the supervisor reduction rate, which is defined as the ratio of the size of a (minimally) reduced supervisor and the size of the supervisor that we start with, solely depends on the fineness of the key information specified by those four functions - the finer the information, the higher the reduction rate.

Theorem 4: Given a plant G and a feasible supervisor S, let S 1, S 2 F(G, S) be normal with respect to S, and assume that S 1 S 2. Let C 1 and C 2 be minimum control covers of S 1 and S 2 respectively. Then C 1 C 2.

Proof: Let S j = (Z j, Σ, δ j, z j,0, Z j,m ) (j = 1, 2), and R j Z j Z j the compatibility binary relation. Let C 2 = {Z 2,i Z 2 i I 2 } be a minimum control cover on S 2. By Definition 1,
1) ( i I 2 ) Z 2,i ( z, z Z 2,i ) (z, z ) R 2,
2) ( i I 2 )( σ Σ)( j I 2 )[( z Z 2,i )δ 2 (z, σ)! δ 2 (z, σ) Z 2,j ].
Since S 2 is normal with respect to S, we can derive that for each z Z 2 there exists s L(G S) such that δ 2 (z 2,0, s) = z. For each Z 2,i C 2, let L(Z 2,i ) := {s L(G S) δ 2 (z 2,0, s) Z 2,i } (Σ \ L(G)). We can easily check that En S2 (Z 2,i ) := z Z2,i En S2 (z) = {σ Σ sσ L(G S) s L(Z 2,i )}. Since S 1, S 2 F(G, S), we know that L(Z 2,i ) L(G S 2 ) = L(G S 1 ). Let Ĉ 1 := {Z 1,i Z 1 [z Z 1,i ( s L(Z 2,i ))δ 1 (z 1,0, s) = z] i I 2 }. We now show that Ĉ1 is a control cover of S 1. First, we show that Ĉ1 is a cover of Z 1.
To see this, notice that i I2 L(Z 2,i ) = L(G S) = L(G S 2 ) = L(G S 1 ). Since S 1 is also normal with respect to S, we know that Ĉ1 must be a cover of Z 1.

To show that Ĉ1 is a control cover of S 1, we need to show that those two conditions hold. To see the satisfaction of the first condition, for each Z 1,i Ĉ1 and for all z 1, z 1 Z 1,i, we know that there exist s, s L(Z 2,i ) such that δ 1 (z 1,0, s) = z 1 and δ 1 (z 1,0, s ) = z 1. On the other hand, let z 2 = δ 2 (z 2,0, s) and z 2 = δ 2 (z 2,0, s ). Since S 1 S 2, we know that
En S1 (z 1 ) En S2 (z 2 ) and D S1 (z 1 ) D S2 (z 2 ), M S1 (z 1 ) = true M S2 (z 2 ) = true, T S1 (z 1 ) = true T S2 (z 2 ) = true,
and
En S1 (z 1) En S2 (z 2) and D S1 (z 1) D S2 (z 2), M S1 (z 1) = true M S2 (z 2) = true, T S1 (z 1) = true T S2 (z 2) = true.
Since (z 2, z 2) R 2, we have
En S2 (z 2 ) D S2 (z 2) = En S2 (z 2) D S2 (z 2 ) =, T S2 (z 2 ) = T S2 (z 2) M S2 (z 2 ) = M S2 (z 2).
Thus, we can easily conclude that En S1 (z 1 ) D S1 (z 1) = En S1 (z 1) D S1 (z 1 ) =.

To show that T S1 (z 1 ) = T S1 (z 1) M S1 (z 1 ) = M S1 (z 1), it is clear that if T S1 (z 1 ) = T S1 (z 1) = false, then by the definition of M S1 we know that M S1 (z 1 ) = M S1 (z 1) = false. So we only need to show that when T S1 (z 1 ) = T S1 (z 1) = true, we have M S1 (z 1 ) = M S1 (z 1). Suppose it is not true. Then without loss of generality, let M S1 (z 1 ) = true and M S1 (z 1) = false. Since M S1 (z 1) = false and T S1 (z 1) = true, we can conclude that M S2 (z 2) = false due to the control equivalence of S 1 and S 2. But on the other hand, since S 1 S 2, we know that M S1 (z 1 ) = true implies that M S2 (z 2 ) = true. Thus, we have T S2 (z 2 ) = T S2 (z 2) = true, M S2 (z 2 ) = true, and M S2 (z 2) = false, which contradicts our assumption that T S2 (z 2 ) = T S2 (z 2) M S2 (z 2 ) = M S2 (z 2). Thus, we can only have M S1 (z 1 ) = M S1 (z 1), which means (z 1, z 1) R 1.

To see the satisfaction of the second condition, for each i I 2, σ Σ, we know that there exists j I 2 such that ( z Z 2,i )δ 2 (z, σ)! δ 2 (z, σ) Z 2,j. For each z Z 1,i, if δ 1 (z, σ)!, then there are two cases.

Case 1: there exists s L(Z 2,i ) such that δ 1 (z 1,0, s) = z and sσ L(G S). Since δ 2 (z 2,i, s) = z Z 2,i and δ 2 (z, σ)!, we know that sσ L(Z 2,j ). Thus, δ 1 (z, σ) Z 1,j.

Case 2: for all s L(Z 2,i ) with δ 1 (z 1,0, s ) = z, we have s σ / L(G S). Then clearly s σ / L(G) because otherwise the first condition of control cover will be violated. Thus, we still have that s σ L(Z 2,j ). Thus, δ 1 (z, σ) Z 1,j.

So in either case, we can conclude that ( z Z 1,i )δ 1 (z, σ)! δ 1 (z, σ) Z 1,j, which completes our proof that Ĉ1 is a control cover of S 1. Clearly, Ĉ1 = C 2. On the other hand, if C 1 is a minimum control cover of S 1, we know that C 1 Ĉ1. Thus, we can conclude that C 1 C 2.

As an illustration, in Example 2 depicted in Figure 6 we know that S 1 S 2. We can easily compute Ŝ1 and Ŝ2, which are the minimum feasible supervisors control equivalent to S 1 and S 2 respectively. The results are shown in Figure 7 below. It is clear that Ŝ1 = 2 < Ŝ2 = 3, which matches the conclusion made in Theorem 4.

With Theorem 1 and Theorem 4 we are finally able to answer the question: why the reduction rate is higher for a supervisor under full observation than for a supervisor under partial observation. Given a plant G and a feasible supervisor S f, if L m (G S f ) happens to be observable with respect to (G, P o ) [4] for some observable alphabet Σ o Σ, then there exists another feasible supervisor S p such that S p is control equivalent to S f with respect to G, namely L(G S f ) = L(G S p ) and L m (G S f ) = L m (G S p ). But notice that S f and S p work under different observation scenarios.
The interesting part is that the same supervisor reduction procedure can be applied to both S f and S p, which again indicates that a specific choice of observability to derive S p is not critical. We have the following result.

Fig. 7. Example 2: Reduced supervisors Ŝ1 (right top) and Ŝ2 (right bottom)

Corollary 1: Given a plant G, let S f and S p be constructed above. Assume that S f is DES-isomorphic to G S f and S p is DES-isomorphic to the subset construction of G S p. Let SIMSUP f and SIMSUP p be the minimum reduced supervisors of S f and S p respectively, based on control cover construction. Then we have SIMSUP f SIMSUP p.

Proof: Since S f is DES-isomorphic to G S f and S p is DES-isomorphic to the subset construction of G S p, both S f and S p are the finest supervisors of their kinds. Since S f and S p are control equivalent with respect to G, it is not difficult to check that for all s L(G S f ) = L(G S p ), let z f := δ f (z f,0, s) and z p = δ p (z p,0, s), and we have
1) En Sf (z f ) En Sp (z p ) = s P 1 o (P o(s)) L(G S p) En S f (δ f (z f,0, s )),
2) D Sf (z f ) D Sp (z p ) = s P 1 o (P o(s)) L(G S p) D S f (δ f (z f,0, s )),
3) M Sf (z f ) = M Sp (z p ), T Sf (z f ) = T Sp (z p ).
Thus, we can derive that S f S p, from which, by Theorem 4, the minimum control covers C f of S f and C p of S p satisfy C f C p. Thus, by Theorem 1, we know that SIMSUP f SIMSUP p.

Corollary 1 indicates that, for two control equivalent feasible supervisors, the one under full

observation always results in a (typically much) smaller reduced supervisor than what the one under partial observation can achieve. For example, in the aforementioned Example 2, no matter whether the event c is observable or unobservable, the closed-loop behavior L m (G S) is always controllable and observable, thus, S 1 and S 2 depicted in Figure 6 can be considered as supervisors under full observation and partial observation, respectively. It is clear that the supervisor S 1 under full observation results in a smaller reduced supervisor Ŝ1, which is control equivalent to S 1.

V. CONCLUSIONS

So far we have developed a generalized supervisor reduction theory, which is applicable to all feasible supervisors, regardless of whether they are under full observation or partial observation. We have shown that the generalized quotient theorem in [9] for supervisors with full observation has a counterpart in the generalized reduction theory, which states that for each feasible supervisor S of a plant G, there exists a feasible supervisor SUPER derivable from subset construction on G S such that all feasible supervisors that are control equivalent to S with respect to G and normal with respect to S can be derived via quotient construction based on a properly chosen control cover on SUPER. In addition, we have provided a specific way of ordering those feasible supervisors by using the key information described in those four functions such that for any two control equivalent supervisors S 1 and S 2 with respect to (G, S), if S 1 is finer than S 2, i.e., S 1 S 2, then the minimum reduced supervisor induced from S 1 is no bigger than the one induced from S 2. As a direct consequence of this result together with Theorem 1 on the quotient construction, we know that, as long as control equivalence holds, a feasible supervisor under full observation always results in a reduced supervisor no bigger than the one induced from a supervisor under partial observation.
Our theory indicates that a specific choice of observability, e.g., observability, normality or relative observability, does not play any significant role in supervisor reduction - they are all lumped into the property of control feasibility.

REFERENCES

[1] K. Cai and W. M. Wonham. Supervisor localization: a top-down approach to distributed control of discrete-event systems. IEEE Trans. Automatic Control, 55(3):605-618, 2010.
[2] K. Cai, R. Zhang, W. M. Wonham. Relative observability of discrete-event systems and its supremal sublanguages. IEEE Transactions on Automatic Control, 60(3):659-670, 2013.
[3] L. Feng and W. M. Wonham. Supervisory control architecture for discrete-event systems. IEEE Trans. Automatic Control, 53(6):1449-1461, 2008.
[4] F. Lin and W. M. Wonham. On observability of discrete-event systems. Information Sciences, 44(3):173-198, 1988.
[5] C. H. Papadimitriou. Computational Complexity. Addison Wesley, 1994.
[6] P. J. Ramadge and W. M. Wonham. Supervisory control of a class of discrete event systems. SIAM J. Control and Optimization, 25(1):206-230, 1987.
[7] R. Su, J. H. van Schuppen and J. E. Rooda. Aggregative synthesis of distributed supervisors based on automaton abstraction. IEEE Trans. Automatic Control, 55(7):1627-1640, 2010.
[8] R. Su, J. H. van Schuppen, J. E. Rooda. Maximally permissive coordinated distributed supervisory control of nondeterministic discrete-event systems. Automatica, 48(7):1237-1247, 2012.
[9] R. Su, W. M. Wonham. Supervisor reduction for discrete-event systems. Journal of Discrete Event Dynamic Systems, 14(1):31-53, 2004.
[10] A. F. Vaz, W. M. Wonham. On supervisor reduction in discrete-event systems. International Journal of Control, 44(2):475-491, 1986.
[11] W. M. Wonham. Supervisory Control of Discrete-Event Systems. Systems Control Group, Dept. of ECE, University of Toronto. URL: www.control.utoronto.ca/des, 2014.
[12] W. M. Wonham and P. J. Ramadge. On the supremal controllable sublanguage of a given language. SIAM J. Control and Optimization, 25(3):637-659, 1987.